
PIX VPN/XP Client question.

Posted on 2006-07-03
Last Modified: 2010-04-12
I have a user who telecommutes from home over VPN.  The problem is - when he's connected to the VPN - he can't browse web pages external to the office network - only internal web sites.  It seems I have had success in the past in VPN Properties/Networking Tab/Internet Protocol (TCP/IP)/Properties button/Advanced Button/check "Use default gateway on remote network".  But this hasn't been a consistent fix...  Any ideas?
0
Question by:LTWadmin
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 17033992
Which client does he use? PIX supports both Cisco VPN client and the Microsoft PPTP client.
Microsoft client works if you un-check the use default gateway on remote network box, but may break their ability to access internal resources.
Cisco client is totally controlled by the PIX. The network admin would have to enable "split-tunneling" which may or may not be against company policy.
0
 

Author Comment

by:LTWadmin
ID: 17123636
lrmoore -

Thanks.  He's using the Microsoft PPTP Client in XP Pro.  Is split tunneling a security risk?
0
 
LVL 9

Assisted Solution

by:muff
muff earned 500 total points
ID: 17125961

Split-tunnelling can be a risk because it enables a PC to be connected to untrusted and trusted networks simultaneously.  Untrusted = the internet.

Imagine a piece of malicious software that connected to an attacker's site and waited for instructions while the VPN client was connected to the company network.  The user PC could then provide the attacker the same level of access to the company network as the user.

This risk can be mitigated somewhat by ensuring that the user's antivirus software is up to date prior to allowing a connection, and limiting what the user can install on their PC.

A more secure alternative that provides the user with access to the web while connected to the company network would be to use a proxy server that is on the company network.  In other words, don't use split-tunnelling at all - web requests would be forwarded to the proxy which would request the web page on the user's behalf.

koan
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 17126380
Yes, split tunneling is a "HUGE" risk.
Problem with using Microsoft client is that the USER is in full control with one little tick of the box []Use default gateway on remote network. Un-tick it and split-tunneling is enabled.
Cisco VPN client is 100% controlled by the ADMIN.
One of the best solutions is to set up a web proxy at HQ, force use of Cisco VPN client and force users to go through the proxy.
The reason that it is not consistent is because of the classful nature of PPTP. It all depends on the class of the IP address assigned to the client and to the remote LAN. I can explain that further if necessary, but it's a lesson in classful IP networks....
0
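
The classful behaviour mentioned in the last comment can be modelled in a few lines. This is an added example, not part of the original thread: it assumes that the Windows PPTP client, with "Use default gateway on remote network" unchecked, sends only the class A/B/C network of its assigned VPN address through the tunnel. The function names and sample addresses are constructed for illustration.

```python
import ipaddress

def classful_network(addr):
    """Return the class A, B or C network that contains addr."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    if first_octet < 128:
        prefix = 8       # class A
    elif first_octet < 192:
        prefix = 16      # class B
    elif first_octet < 224:
        prefix = 24      # class C
    else:
        raise ValueError(f"{addr} is class D/E, not a host address")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def route_for(dest, vpn_ip, use_remote_gateway):
    """Return 'vpn' or 'local' for traffic to dest while the tunnel is up."""
    if use_remote_gateway:
        return "vpn"     # default route points into the tunnel
    # Assumed behaviour: box unchecked, only the classful route uses the tunnel.
    if ipaddress.IPv4Address(dest) in classful_network(vpn_ip):
        return "vpn"
    return "local"       # leaves via the home ISP: the PC is dual-homed

def unreachable_subnets(vpn_ip, office_subnets):
    """Office subnets the classful route misses when the box is unchecked."""
    covered = classful_network(vpn_ip)
    return [s for s in office_subnets
            if not ipaddress.ip_network(s).subnet_of(covered)]

if __name__ == "__main__":
    # Constructed sample data: three office subnets, two possible VPN addresses.
    office = ["192.168.10.0/24", "192.168.20.0/24", "10.2.0.0/16"]
    for vpn_ip in ("192.168.10.50", "10.1.1.50"):
        print(vpn_ip, "route:", classful_network(vpn_ip),
              "missed:", unreachable_subnets(vpn_ip, office))
    print("web, box checked:  ", route_for("198.51.100.7", "10.1.1.50", True))
    print("web, box unchecked:", route_for("198.51.100.7", "10.1.1.50", False))
```

The same office is fully, partly or not at all reachable depending on which address the client is handed, which matches the inconsistent results described in the question.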
